Posted by timothy on Tuesday July 30, 2013 @11:07AM from the keep-your-friends-close dept.

ectoman writes "Are firms responsible for GPL violations on code they receive from third parties? A German court thinks so. The Regional Court of Hamburg recently ruled that Fantec, a European media player maker, failed to distribute 'complete corresponding source code' for firmware found in some of its products. Fantec claims its third-party firmware supplier provided the company with appropriate source code, which Fantec made available online. But a hackathon organized by the Free Software Foundation Europe discovered that this source code was incomplete, and programmer Harald Welte filed suit. He won. Mark Radcliffe, an IP expert and senior partner at DLA Piper who specializes in open source licensing issues, has analyzed the case—and argued that it underscores the need for companies to implement internal GPL compliance processes. 'Fantec is a reminder that companies should adopt a formal FOSS use policy which should be integrated into the software development process,' he writes. 'These standards should include an understanding of the FOSS management processes of such third-party suppliers. The development of a network of trusted third-party suppliers is critical part of any FOSS compliance strategy.'"

Actually at the core of the issue here is not really the GPL. At the core is that they got the code from another company and relied on that company adhering to the license.

Basically the ruling says that when you got the code from a third party, you cannot rely on the third party acting correctly when determining whether your use of the code complies with the license. If the third party violated the license (in this case, by not providing the complete source code), it doesn't protect you from the responsibility of checking the correct licensing yourself when redistributing the code.

That it was about GPL code is only tangential to the issue (although it's almost certainly the reason why it ended up on Slashdot).

Basically the scheme is the following: A gives code to B under a given license. B then gives the code to C in a way that violates A's license. C relies on B having followed A's license and figures out that redistribution in a certain way would not violate A's license. However since B's analysis rests on the false assumption that B complied, it turns out that C's redistribution of the code also violates A's license. But with a closer inspection, C could have found out that B didn't comply. The court ruling now says that C is responsible for violating the license.

Here A is whoever owns the copyright for the code in question, B is Fantec's firmware supplier, C is Fantec, the license is the GPL, and the violation is not distributing the complete corresponding source code.

> Basically the scheme is the following: A gives code to B under a given license. B then gives the code to C in a way that violates A's license. C relies on B having followed A's license and figures out that redistribution in a certain way would not violate A's license. However since B's analysis rests on the false assumption that B complied, it turns out that C's redistribution of the code also violates A's license. But with a closer inspection, C could have found out that B didn't comply. The court ruling n

All of them contain software, I damn well hope you obtained all the source code for their software and had it fully checked for all license compliance, as otherwise you are responsible in exactly the same way. The people who SOLD the non-compliant software ORIGINALLY should be responsible, however that's not what's being done here.

THAT is why this is bad, for everyone. In fact the GPL doesn't even require you to sell it, is lending your car to someone distrib

While I agree with what you're saying and I think the decision is correct, the problem is that when companies read articles such as this, all they see is, "If we use open source, we could get sued and screwed for something a third party did."

It makes the use of GPL licensed software appear unpredictably dangerous. And there's no getting around that.

Using code at all is unpredictably dangerous. In most cases, it is impossible for someone to prove that a particular piece of software does not incorporate any unlicensed third party code. Software patents make it all even murkier. Such is life with "intellectual property".

If you compile the software yourself from source, you have at least some chance at finding violations yourself. On the other hand, if you get handed a binary blob to redistribute, you better have a very trustworthy supplier.

> While I agree with what you're saying and I think the decision is correct, the problem is that when companies read articles such as this, all they see is, "If we use open source, we could get sued and screwed for something a third party did."

> It makes the use of GPL licensed software appear unpredictably dangerous. And there's no getting around that.

To be honest, businesses should be putting open source under the same scrutiny they have for commercially licensed software as well.

Yes, they should follow the license for all code they use.
No, this would not have been an issue if they had used code under BSD.
Yes, if I had a company that was producing code based on OSS, I'd be making sure I was using BSD licensed (or one of the other more liberal licenses).

It's a simple matter of risk, BSD licensed code is less risky for companies to use. That's not good or bad, it just is.

> Yes, they should follow the license for all code they use.
> No, this would not have been an issue if they had used code under BSD.

The problem is that Fantec received code from a third party. If the third party told them correctly what license applied, and Fantec acted accordingly, they would have been fine. If the license had been BSD but the third party lied and Fantec acted accordingly, they would have been fine most likely. If the license was GPL (as it was in this case) or proprietary, the supplier lied, and Fantec acted on the false information (which they did), obviously there was trouble.

But the problem isn't GPL; the problem is not being told which license applied and acting wrongly because of that false information.

It probably wouldn't have cost them as much as most likely it would have been settled out of court without the need for lawyers and court fees, the BSA just wants to get paid after all and will negotiate, whereas with the GPL there is NO negotiation nor compromise because like it or not that is the way RMS designed the license.

What I personally don't get when it comes to these cases is...why? Why would you bother taking the risk of using GPL code when you aren't a FOSS company and risk possible lawsuits like

> What I personally don't get when it comes to these cases is...why? Why would you bother taking the risk of using GPL code when you aren't a FOSS company and risk possible lawsuits like this? If you don't want to be a FOSS company there is BSD and there is plenty of proprietary solutions so there is really no damned point in taking the risk when your company isn't a FOSS based company.

They are not in electronics manufacturing business, they are in relabeling Chinese crap business. They don't care about licenses shmihences until you poke them with a very sharp stick. Chinese also don't care about licenses and WOULD provide all the source code (they already do to their own Chinese partners) if that was the requirement.

> It probably wouldn't have cost them as much as most likely it would have been settled out of court without the need for lawyers and court fees, the BSA just wants to get paid after all and will negotiate, whereas with the GPL there is NO negotiation nor compromise because like it or not that is the way RMS designed the license.

Nonsense. With the BSA it would have cost thousands in licensing fees as they dug into the entire company. The vast majority of GPL-related incidents are resolved out of court.

Why would you take the risk of using proprietary code? Most proprietary vendors have lawyers on retainer and tend to be less forgiving of violations.

If you read TFA you'll see that this is not their first time violating the GPL on the plaintiff's code. The first time, they were allowed to correct the error and sign an agreement that they wouldn't let it happen again. There was a monetary penalty attached to further violations. They did, in fact, violate the licence on the same software AGAIN. They were offered the opportunity to correct the error, pay the agreed upon penalty and call it good, but they refused. Then and only then did they get sued.

How often do you get one for free when violating a proprietary license?

The fact is, most of the time GPL authors will be satisfied if you simply correct the error that they point out. Particularly if it looks like it was simply an error.

> It probably wouldn't have cost them as much as most likely it would have been settled out of court without the need for lawyers and court fees, the BSA just wants to get paid after all and will negotiate, whereas with the GPL there is NO negotiation nor compromise because like it or not that is the way RMS designed the license.

The vast majority of GPL violations get handled out of court. Anecdotal evidence seems to suggest that the payment in most cases is zero.

Most actual court cases around GPL software seem to be brought by Harald Welte, and he in particular settles almost all cases outside court.

What does it mean to be a FOSS company? The way you use it, it's pretty much meaningless. It's a smoke screen. You're trying to make an argument, but you seem yourself a bit puzzled as to what argument you're after.

GPL is a comparatively simple license, and compliance is fairly easy. If someone claims that it's hard, they IMHO admit to being dense. I still don't get it why would someone need to label themselves "a FOSS company" in order to, you know, comply with the terms of just one of the multitude of

To be perfectly clear: I would rather a world where labor to create a work is done and paid for once, and the infinite monopoly granted to any who refuse to work without assurance of pay would be applied to content creation as it is in all other labor fields. Yes, I would rather a world where no copyrights existed at all; Where to get more money you would have to do more work instead of sell more copies which are infinitely reproducible and thus valueless: Econ101: infinite supply == zero price; // regardless of cost to create.

Not monetizing copies but the work which yields their infinite supply instead is actually how the open source model of software production operates. As a car mechanic or home builder or burger joint would: I do an estimate, agree on a price for the new work (code | feature | installation | maintenance | etc.), then do the work once and get paid once for it, then seek more projects to do more work to get paid further. Instead of the insanity of selling ice to Eskimos -- or 1's and 0's to folks with computers -- I get paid proportional to my work.

Conversely, since copyright does exist, I am not free to utilize any other available configuration of 1's and 0's already created and thus in infinite supply. In response to the ridiculous state of copyright whereby I am disadvantaged by my sane work practice and since I do not foolishly work for free then gamble my livelihood in the closed source copyright futures market -- A market where the work can go underpaid or unpaid if the market value didn't match the demand leading to job insecurity, and whereby the publisher middle men can drain the consumers of orders of magnitude more wealth than the cost to create the work (see how that works? The workers are disadvantaged, yes?); In response for being held to these ridiculous laws in order to make a living in society I choose to assert that my end users have all the rights and capabilities granted to any others who would monetize my work. Unable to rid the world of all copyrights, I expect businesses to obey them as I must. I merely expect that the business community enriched with unbounded advantages provided by GPL'd code not disadvantage me by disallowing my future work upon projects such code makes possible.

Now, perhaps you are feckless enough to assume I can simply ignore copyrights if I want. Perhaps you assume a person can have security in their future while their small business breaks copyright laws at will, and allows others to close off future job opportunities by not releasing source code as the contract under which the work was performed would require. Perhaps you would say: "Just deal with bad actors making a less of a viable future for you." Perhaps you would say the blame lies with me for publishing my code in the first place, and ignore all the other compliant businesses which my work bolsters all of at once and I thus thrive upon. Perhaps you would think we allow ever more egregious infringement of the open source copyrights to proliferate while allowing the brutal punishing of end users for minor copyright infringements against proprietary licensors. Perhaps you would say, that I "might get used. Deal with it.", and then ignore that dealing with it is exactly what is being done in TFA...

So you would make speculative IP creation impossible. Before you created any IP, you would have to establish contact with all possible customers and agree, and contract, a price for the IP you would create. This was the way the system used to work in the 18th century: Dr Johnson had to line up a number of sponsors before he produced his dictionary. The same applied for music: Bach needed a sponsor for his cantatas etc. The invention of copyright then produced an explosion of publishing: because people could retain the IP of their putative great works, they could publish speculatively (possibly with funding from a publisher), and if indeed it turned out they were great works, they would be repaid for their efforts,

Your proposal would, I think, destroy the literature and magazine industries. Yes, magazines have subscribers. But why should I subscribe if I can get a copy as soon as the magazine is published? How can the editor of a magazine get enough readers to contract for something that they will receive free once the first user has received it? How can the writer who /thinks/ he has a great book make a profit from it when the first review copy can be Torrented for free? Why create any new work of literature? Music is slightly different: a live performance is different from a recording, and some groups distribute recordings for free in order to get fans at their concerts. But, in the days of the Kindle etc., an e-copy of a book is approximately as good as a hard copy.

Literature and music are not the same things as burgers and car repairs. The invention of copyright had a massive positive effect on human culture. Very little of the music you listen to and the books and magazines you read would exist without it. Of course, I am not saying that the existing system is perfect - very far from it. Its application to programs and code is very defective. But in throwing the whole thing out, you are losing the good as well as the bad.

I agree that the idea of copyright is a good one. I hope most here understand that people who create something like music or software deserve a chance to make a profit before everyone can just download it for free and give nothing back in return. Open source works because there are enough people willing to give back something whether it's a bug report or a few lines of code. Everyone is better off if the software isn't really the thing that is being sold. Now sometimes the software is the thing that is being sold and those who create it 'closed source' deserve to make some money IF people want to use it. In my opinion the problem with copyright isn't the idea, it's a solid and workable method to encourage people and business to create new things. The problem like most problems is that the populace wasn't paying attention and what was a good idea was twisted into a terrible monster just as patents have been. I'm not saying its our fucking fault but I am saying we collectively need to fucking put in some effort to fix it. I have no idea if that's really possible anymore since government has become just as much a monster as copyright and patents, more so even.

Anyway copyright should be limited, No more than 10 years I'd say. If you can't make your money back in that time frame then you fucked up. Patents I think should be something like 5 years or maybe 7. I don't know but I think a solid peer-reviewed study could look at all the various industries and pick apart their profit reports and find the sweet spot for both copyright and patents. We have to wash away the greed and absurdness of both these good ideas gone bad. I can't imagine anyone who really thinks logically that someone should be able to live the rest of their life because they wrote one song 20 years ago. It just doesn't make any fucking sense. There is nothing magic about making music, movies or software. The only difference is once you have made them you have an unlimited supply of them which some people think means it should be worthless and free but if that was the case then no one would bother putting in the time. Sure you'd have some people doing it as a hobby but that isn't the same as doing it as a business and polishing whatever it might be over and over again because you don't have a day job taking up all your time.

I think the US got copyright right way back when but we all closed our eyes for a moment and greed twisted it into something we all hate and despise. The only other thing I have to add is those caught using something that is copyrighted for personal use shouldn't be bankrupted for it. They should have to pay for the product plus a fine of a grand or three. Now people making bootleg copies should face much harsher penalties and corporations that knowingly screw over others should get their asses handed to them since it's going to be rare to catch them in the act.

I'd like to see these problems fixed because I think it would lead to a new renaissance of creativity. Which was the whole point of these laws to begin with.

I earn a living writing copyrighted works (software), and I'm still against copyright. And it has nothing to do with not wanting to "pay a dollar for a song" - I'm more than happy to do so (as long as it doesn't feed the RIAA).

I have a question for you. Why is it that you can take literary works and sample from them without violating copyright but GPL'ed code is viral? If they are both based on copyright, why can't you take small samples of code and incorporate it into non-gpl'ed code? Isn't that hypocritical of you? Why is it that you create a derived work from a literary work and by just rewriting it, you have to pay no royalties and yet GPL advocates want the original author to be able to "steal" all of the derived works even

If the sample is quite small, you probably could, regardless of the licence, but there would be some legal risks. Just like any other sort of work. For example, pick a popular novel, copy the 1st chapter and write a different story from there. Let's see if you survive the court battle. OTOH, lift a single line and you may be OK. Actually, with just one line, you're much more likely to be OK with GPL software than with a popular novel.

The GPL violations that get people in trouble tend to be a lot more copyin

> Why is it that you can take literary works and sample from them without violating copyright but GPL'ed code is viral?
> If they are both based on copyright, why can't you take small samples of code and incorporate it into non-gpl'ed code?

You can. Who said otherwise? Just as you can quote a few sentences from a book, you can copy a few lines from a GPL work. You can't copy-paste several pages from a typical book, under normal circumstances, and you can't copy-paste several pages from a GPL work with

I didn't mean to imply that you said they should get a pass; you didn't. It just seemed to me that your statement carried an assumption that the alternative was not itself a double standard, which seemed odd.

'A German court thinks so'?

Under very few legal codes is it OK to distribute something that you do not have the appropriate copyright/licence. Even if you don't investigate properly to find out if you do or don't, that doesn't get you off the hook. It may alter the penalties, but the fundamental legality isn't really in question, pretty much anywhere.

Raising 'GPL' is a red-herring here - 'Oh - I didn't realise that machine had an unlicenced copy of windows on it' - is exactly the same case.

I seem to recall a German court doing the same thing with MP3 licencing and Microsoft about 10 years ago. They licenced it from someone who did not have the rights, and MS got fined, not the supplier. At least they're consistent.

> Under very few legal codes is it OK to distribute something that you do not have the appropriate copyright/licence.

Distribution is fine. It's copying that is restricted by copyright.

For example, I can go and buy a game in a box from a shop. I then give you that game. I'm distributing the game, but I am not copying it. Copyright doesn't stop me because copyright is for copying, not distribution.

Why does that matter? Well consider this: what happens when I buy a machine with GPL software preinst

A previous employer of mine really really really wanted to offer FOSS support & products as part of their lineup. In the end, the lawyers won, as they couldn't craft a policy that would allow anyone other than a lawyer to make the decisions. This was mostly for GPLv2 and v3, but they got the dev managers completely wound up about all the license types. Mostly this resulted in the company punting on the FOSS idea.

It's not terribly surprising that some small outfit decided to outsource the responsibility, assuming they were in a similar "analysis paralysis" situation. Too bad they did not understand the intent of the licenses and just "do the right thing."

Compliance is easy. Never even look at GPL code. If it's not under BSD, don't touch it.

That is completely idiotic in this context. The problem wasn't that the company used GPL code and didn't comply with the license. The problem is that they bought code from another company, they believed that they had all the copyrights, and the company that sold the code cheated on them.

That can happen with proprietary code as well, as Microsoft found out when a company sold them lots of video code that they had originally written for Apple, and to which Apple had the copyrights.

Or if they had appropriately specified a deliverable in source form that they then ran make on to produce the binary firmware.

So you're saying that if they had told the same 3rd party that delivered mis-matched source and binary for some reason to stick to BSD they would have magically become competent and not included any GPL or proprietary code anyway?

It's not that easy. You have to make sure that the BSD code is not taken from a GPL project, which is essentially what happened in this case (although it was proprietary code taken from a GPL project). You have to audit the code to make sure the person who gave it to you is telling the truth (even if they are honest, they might not realize where code was given to them).

Later a GPL zealot finds the code in a commercial project and runs around like a chicken with its head cut-off. Later still it's explained to them what happened and they disappear, never to apologize. Rinse, repeat.

> Later a GPL zealot finds the code in a commercial project and runs around like a chicken with its head cut-off. Later still it's explained to them what happened and they disappear, never to apologize. Rinse, repeat.

If this happens so often you'd have an actual, concrete example of this happening, right?

Don't forget to hire a soothsayer to vet all of your code, as the foundation of this case is that Fantec did not check what license the code was under. If they had, they wouldn't have been in violation.

It is not a common practice to have lawyers involved in software tool decisions. Having worked as a software engineer and consultant for companies ranging from 3 employees to Fortune 500s. None of them ever had lawyers review software licenses.

At my most recent job at a Fortune 500, I reported 2 cases where we were completely ignoring licenses: one was a click-through that said I agree to allow the company logo to be used in their marketing. Naturally, I have no such authority and putting that in a click

I remember reading that the GNU GPL is a license, not a contract [lwn.net], and that most proprietary software is accompanied by both. My vague understanding is that lawyers aren't familiar enough working with the GNU GPL's 'bare license' situation.

> I remember reading that the GNU GPL is a license, not a contract, and that most proprietary software is accompanied by both. My vague understanding is that lawyers aren't familiar enough working with the GNU GPL's 'bare license' situation.

That's very unlikely. Legally, it is quite trivial: GPL allows you to do certain things. So you check: Is your use allowed either by copyright law, or by the GPL. If yes, then you're fine. If not, don't use it.

The GPL says roughly "you may do X if you do Y". Because it's no contract, it means if you do X without doing Y then you have copyright infringement. Without the GPL license, doing X would be copyright infringement, whether you do Y or not. If it was a contract, the copyright holder could force you

The outsourcing is what got them into trouble in the first place. They got both a binary and sources from their supplier and assumed that those two matched, without verifying that by doing the build themselves.

If you think FOSS licensing is confusing, try a proprietary license where even just using the software internally can lead to liability and they're not going to let you go if you say you're sorry and won't do it again.

It appears that when asked to comply with the license by posting the code they actually used, the company lied and said they weren't using iptables.

Contrast that to when I pointed out to Plesk that they were violating the Apache license. They very quickly apologized and posted the code, putting an end to the issue. All they needed to do is post the code that they compiled in order to come into compliance.

The court opinion is six pages, I'm guessing three of those are boilerplate. Are there any fluent speakers of German who can read through it and tell us the facts as expressed by the court?

> The court opinion is six pages, I'm guessing three of those are boilerplate. Are there any fluent speakers of German who can read through it and tell us the facts as expressed by the court?

The court didn't really go into much of anything, in short it concluded that the source was incomplete which means no rights were granted by the GPLv2 which means their distribution was a copyright violation. That they didn't know about it seems entirely irrelevant to the ruling. In fact it's so totally absent that going by this ruling you might think that if your copyright is violated, you can sue every mirror and every one of them would be guilty, no matter how much good faith belief they might have it's

Why would anyone with a pathological need to "win in the market" or "be associated with the cool brand" bother with BSD to begin with?

> Did anyone try to work things out with the company?

No. People just like to litigate for fun. They like to waste the money.

Don't be such an idiot. If anything gets in front of a judge it's because one or both sides refused to compromise. The FSF has a long history of quickly dispensing these things by allowing the offending party to come into compliance.

Ooooo, someone's a little butthurt, yeah? BSD offers more freedom and is a license that wasn't cooked up by a bearded, fat-ass Jew who likes to eat his own toejam.

Why do you actually care? If you don't want to comply with the GPL then don't use GPLed code - your choice.

As a developer I actually *don't care* if you use my code - my code is written to do a job I need it to do, and rather than keeping it all to myself I release it in case its useful to other people. I usually use GPL under the premise that any improvements someone makes to the code will be made available to other people - they're benefitting from my code, why shouldn't other people benefit from their

Yes, Fantec was approached in an effort to work it out.
Their initial reaction was to deny everything.
When confronted with undeniable proof, they simply blamed a contractor and said that they were not responsible. ...at least, that's what the articles I read reported.
At that point, what options are left?

If you had, you'd know that this is the second time they have violated the license on that code and that the first time they were allowed to simply correct the error and sign an agreement not to do it again with a penalty to be paid if they did. You would also know that they DID do it again and were offered an out of court settlement where they (again) correct their error and pay the agreed upon penalty. You would finally know that they refused that offer and then (and only the

A third-party firmware supplier could also supply you something that included copyrighted code under some other license (doesn't have to be a free software/open source one) without meeting the requirements of the license. And you would distribute that infringing on the copyright.

Of course if the source code isn't supplied it's harder for the copyright holder to find out.

It looks like there is an attempt to make an example of this company when perhaps mediation would have been a more suitable approach given they attempted to comply but failed procedurally rather than pursued a policy of wilful evasion.

Probably. This isn't the first time this has happened. They aren't the first company to fail to audit code their suppliers provided. At some point you have to stop and say "OK, by this point everybody ought to know what they need to do. It's been in the news enough that nobody can claim it's not well-known. So from here on out, no more excuses. No more passing the buck. You know what you need to do, do it or accept the consequences.". If you don't, the failures won't be addressed.

Shouldn't any company including any third-party code in their products already have a process in place to make sure that code's all properly licensed and they're in compliance? This isn't about GPL or FOSS code. If one of your suppliers includes proprietary code in the firmware they supply to you that isn't properly licensed or you aren't following the license terms don't you have the same problem?

3rd party code is a fucking disaster no matter where you get it, who wrote it, or who sold it to you. When my company needed a supplemental CRM utility, I wrote it. It works perfectly and is still on version 1.0.0. Our current CRM software is so poorly laid out and coded that the people responsible would get a D if they're lucky in my 2-year technical college advanced programming course. I got the only perfect 105% score in that class in the college's history. What's the difference? In labor hours, i

> 'Fantec is a reminder that companies should adopt a formal FOSS use policy which should be integrated into the software development process,' he writes. 'These standards should include an understanding of the FOSS management processes of such third-party suppliers. The development of a network of trusted third-party suppliers is critical part of any FOSS compliance strategy.'

Or, they could just say "that's too much hassle, let's stop being involved in FOSS development".

If they were given the code that was under the GPL under conditions that diverged from the GPL, then they are only in violation of the GPL if they further distribute it under different conditions from the GPL.

One analogy that I'm particularly fond of in this matter is that if you receive a counterfeit bill and you somehow become aware that it is counterfeit, if you still try to spend it knowing that it is counterfeit, you are actually breaking the law. If you don't know that it's counterfeit, you aren't

Being ignorant about what the code you're building a product from is no one's fault but the vendor's. I agree 100% with the ruling.

Too many people like to try to play the "I didn't know" card. You're responsible for knowing what you're distributing, especially when you're charging for a product.

I recently worked for a company that had to completely rework a piece of their product line because one developer decided he liked a GPL'd library better than a more-free-for-commercial-use library. It cost t

If you are not - as a business selling software (even if in embedded hardware) requiring your suppliers to state that all software used is compliant with relevant licences, with appropriate penalty clauses or indemnification if they are not - then your lawyers don't deserve to be employed.

Exactly the same happens if you ship unlicensed Windows on your systems.

Hopefully yes. Having a dozen more companies simply grabbing bits of GPL stuff and closing it because nobody dares to do anything is a loss. If you are still in 'OMG an actual company looked at my code and wants to sell it! I am so honored!' phase, then by all means choose BSD for all your stuff.

This isn't going to make it easier to convince companies to adopt the GPL. It's not necessarily accurate, since Fantec clearly didn't exercise due diligence with their third-party software, but that's what a lot of upper management is going to hear.

I don't doubt the theoretical potential for this to be FUDed; but it isn't as though Fantec would have been any better off if their shoddy firmware contractor had been out of compliance with code under any other licence... Somehow, the fact that you can get your ass handed to you for violating software licenses seems to be Super Scary when it's OSS; but just part of doing business when it's proprietary; but it's the same principle at work either way.

If the firmware had been proprietary and in-house (either their house or the contractor's) they wouldn't have been in violation; but 3rd-party proprietary components would have played out in almost exactly the same way.

If the Fantec product had been proprietary, they wouldn't have been under violation, and they couldn't have verified if there was a licensing issue with any firmware provided by their supplier, which would have been noted in any good contract.

No more so than they could with GPLed software.

Their supplier provided them with a product which incorporated third party code. The supplier assured them that the third party licence was being adhered to. This turned out to be incorrect, and Fantec got hauled up for breaking the licence. In this case the third party code was GPLed, but let's suppose that it came from Microsoft under one of their licences - if the licence hadn't been adhered to they still could've been hauled up to court.

They didn't adopt the GPL; they borrowed code that was GPL so they had to do less work rather than spend tens of thousands of dollars doing the work themselves. It's not the first time I've heard of a company thinking their added code totaling a fraction of a percent of the project is somehow worth more than the rest. It's also not the first time I've seen willful ignorance on behalf of a device maker.

A few years back I was sourcing some kit for an ISP and discovered the ADSL modems were based on Linux + BusyBox. I asked the manufacturer if I could have the source so we could try some local modifications only to be told "the chipset maker doesn't supply that" and I would have to talk to them (in China) about it. I argued the point but they refused to accept that they had a legal obligation. Fortunately about a year later they entered into a settlement with the gpl-violations.org but by then I was no longer working for that ISP.

The whole point of GPL and other open source is indeed to save you money so that you don't reinvent the wheel. There is nothing wrong whatsoever with using open source to save yourself extra work. You never need to "adopt" GPL principles to use GPL code.

The whole point of GPL is that it's a bargain, you get the code and you share the improvements if you distribute the result. That bargain is not being met if they refuse to release the source code and that's my whole point. We have companies who think the device driver they add is somehow worth more than the rest of the project and so they shouldn't have to follow the rules.

Not only did they not exercise due diligence to start with, it appears that when asked to comply with the license by posting the code they actually used, the company lied and said they weren't using iptables. Had they simply said "oops, sorry about that, here's the code we compiled" it would have been resolved with just a few minutes of time.

That second scenario is what Plesk did. I pointed out they weren't in compliance and as an Apache copyright holder I insisted that they comply. They immediately posted the Apache code they were using, ending the matter. The only effect on them is that now a couple of Slashdot readers know that they did the right thing.

I think that's the big takeaway - when you mess up, don't lie and initiate a cover-up, just fix it and move on.

To make matters worse, this is the second time they violated the GPL on the same code. The first time they were allowed to fix it and sign an agreement not to do it again with an agreed upon penalty for non-compliance.

I missed that part, and yes, trying to cover it up only hurts. I still expect a fair number of management employees to walk away with the soundbite that GPL equals lawsuits.

Hopefully the management employees will also notice that the average number of GPL violation cases going to court is below 1 per year, and that most of the settlements are really, really cheap.

Hopefully they will not notice that there are very few developers of GPL'd software who are willing to defend it in court, and therefore the GPL can be ignored on most code if you are sufficiently brave.

This isn't going to make it easier to convince companies to adopt the GPL.

That's their problem, to be honest. And it's good for me if they wish to make themselves less competitive by giving in to FUD.

The thing is the same issue applies equally to GPL code and proprietary code. If a third party had used someone else's proprietary code, they'd be in an even bigger heap of shit, but no one would be saying that it is going to hinder the uptake of proprietary code.

That's their problem, to be honest. And it's good for me if they wish to make themselves less competitive by giving in to FUD.

You've taken the words out of my mouth. I was just going to say that re-use of de-facto industry standard GPL code in most cases brings huge financial savings. If my competitor doesn't want to leverage that, it's their loss. Same goes for re-use of open communications protocols. Bitch all you want about "dinosaurs" like, say, X.25, but that thing is by now patent free and comes with an extensive machine readable conformance test suite, and is a free download. There is way more if you care to dig in the ITU-